From 7c174b61978428ff0624abda91ad154b6c245c54 Mon Sep 17 00:00:00 2001
From: Bob Weinand
Date: Mon, 2 May 2016 18:22:15 +0200
Subject: [PATCH] Fix use after free on AST expressions in constant declarations

---
 Zend/zend_vm_def.h     | 6 +-----
 Zend/zend_vm_execute.h | 6 +-----
 2 files changed, 2 insertions(+), 10 deletions(-)

diff --git a/Zend/zend_vm_def.h b/Zend/zend_vm_def.h
index a5d50abc262..3f149ec7abc 100644
--- a/Zend/zend_vm_def.h
+++ b/Zend/zend_vm_def.h
@@ -7170,17 +7170,13 @@ ZEND_VM_HANDLER(143, ZEND_DECLARE_CONST, CONST, CONST)
 	name = GET_OP1_ZVAL_PTR(BP_VAR_R);
 	val = GET_OP2_ZVAL_PTR(BP_VAR_R);
 
-	ZVAL_COPY_VALUE(&c.value, val);
+	ZVAL_COPY(&c.value, val);
 	if (Z_OPT_CONSTANT(c.value)) {
 		if (UNEXPECTED(zval_update_constant_ex(&c.value, EX(func)->op_array.scope) != SUCCESS)) {
 			FREE_OP1();
 			FREE_OP2();
 			HANDLE_EXCEPTION();
 		}
-	} else {
-		if (UNEXPECTED(Z_OPT_REFCOUNTED(c.value))) {
-			Z_ADDREF(c.value);
-		}
 	}
 	c.flags = CONST_CS; /* non persistent, case sensetive */
 	c.name = zend_string_dup(Z_STR_P(name), 0);
diff --git a/Zend/zend_vm_execute.h b/Zend/zend_vm_execute.h
index 38ed5883afb..0ed33856f55 100644
--- a/Zend/zend_vm_execute.h
+++ b/Zend/zend_vm_execute.h
@@ -6083,17 +6083,13 @@ static ZEND_OPCODE_HANDLER_RET ZEND_FASTCALL ZEND_DECLARE_CONST_SPEC_CONST_CONST
 	name = EX_CONSTANT(opline->op1);
 	val = EX_CONSTANT(opline->op2);
 
-	ZVAL_COPY_VALUE(&c.value, val);
+	ZVAL_COPY(&c.value, val);
 	if (Z_OPT_CONSTANT(c.value)) {
 		if (UNEXPECTED(zval_update_constant_ex(&c.value, EX(func)->op_array.scope) != SUCCESS)) {
 
 
 			HANDLE_EXCEPTION();
 		}
-	} else {
-		if (UNEXPECTED(Z_OPT_REFCOUNTED(c.value))) {
-			Z_ADDREF(c.value);
-		}
 	}
 	c.flags = CONST_CS; /* non persistent, case sensetive */
 	c.name = zend_string_dup(Z_STR_P(name), 0);
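Review bot: With `ZVAL_COPY` now taking a reference on the op2 literal before `zval_update_constant_ex` runs, the failure branch in the zend_vm_def.h hunk (`FREE_OP1(); FREE_OP2(); HANDLE_EXCEPTION();`) never releases that reference: if `zval_update_constant_ex` leaves `c.value` untouched when it fails — which cannot be seen from this hunk — the extra AST refcount is leaked on every exception raised while evaluating a constant expression, whereas the old code took no reference before the call and so needed no release there. Adding `zval_ptr_dtor_nogc(&c.value);` as the first statement of that branch would balance the new addref on the exception path. The same applies to the mirrored hunk in zend_vm_execute.h, which is generated from zend_vm_def.h and should pick the change up from a regeneration rather than a hand edit. The ZEND_DECLARE_CONST handler begins and ends outside the hunk, so what happens to c.value on the success path is not visible here.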